designing and implementing a world class risk … · 10/26/2012 · draft – for discussion...
TRANSCRIPT
DRAFT – FOR DISCUSSION PURPOSES ONLY
DESIGNING AND IMPLEMENTING A WORLD CLASS RISK AND CONTROLS MONITORING FUNCTION
Presented to New York IIA-ISACA NY Metro Chapters – October 26, 2012
Ray Purcell (Pfizer) and David Hodgson (Deloitte & Touche LLP)
- 2 - CONFIDENTIAL
The world’s premier biopharmaceutical company.

We make medicines and vaccines that help people and animals when they are sick and prevent them from getting sick in the first place.
- 3 - CONFIDENTIAL
Pfizer Today
• 89 manufacturing sites worldwide
• $67 BILLION revenue in 2011
• 150 countries in which Pfizer sells products
• #1 Primary Care, Specialty Care and Animal Health businesses worldwide
• MORE THAN 100,000 colleagues around the globe
- 4 - CONFIDENTIAL
Governance Model: The Four Lines of Defense

1 – First Line Quality
• At the Source
• Continuous Assessment
• Quality Control
• Transaction Processing

2 – Risk Identification/Monitoring
• Pan-Pfizer Strategic Link for Risk
• Monitoring & Escalation
• Identification of Trends and Opportunities

3 – Corp. Oversight: Corporate Audit
• Independent
• Risk-based
• Pan-Pfizer

4 – Governance
• Board
• ELT
• FLT

“Level 1” activities are part of the day to day business operations. Finance One has been impacting and addressing “Level 1” activities via process-focused workshops and recommendations over the past several months. Examples:
• Performing account reconciliations
• Documenting results

“Level 2” activities are ongoing risk, compliance and control monitoring activities. Examples:
• Monitoring key metrics (e.g., # of account reconciliations performed)
• Identifying trends across markets/plants

“Level 3” activities are performed independently and periodically by Pfizer Corporate Audit. One Audit initiative focused on improving the efficiency and effectiveness of “Level 3” activities.
- 5 - CONFIDENTIAL
GRCC Project Overview and Anticipated Benefits

GRCC Project Overview
Improve the effectiveness of oversight and monitoring of internal controls and regulatory compliance activities across Pfizer through:
1. Establishing a Compliance Center of Excellence (CoE) to enable consistency of interpretation and execution of regulatory compliance activities and to provide clarity of ownership
2. A redesign of Level 2 monitoring for in scope activities to enable a proactive risk based approach and monitoring of key risk areas. Scope would include:
   a. Centralized top level risk assessment
   b. Monitoring of the following in scope activities:
      i. FCPA / Healthcare compliance
      ii. Internal Controls over Financial Reporting (SOX)

GRCC Anticipated Benefits
• Enhanced accountability, consistency and transparency related to compliance activities
• Greater alignment of market compliance and control efforts with Pfizer’s overall risk assessment
• Reduced burden on the business through centralized approach to strategy and planning, deployment of consistent methodologies, and streamlining of processes / sharing of leading practices across markets
• Reduced risk exposure due to greater transparency into risks, issues and trends across the business on a continuous basis (enhanced enterprise-wide view)
• Enhanced accountability and clear path for risk and issue escalation
- 6 - CONFIDENTIAL
GRCC Model Development Approach

Inputs: Deep Dives; Baseline Data; Site Visits; Industry Experience; Current State Assessment; Risk Adjusted View of Locations (IA Risk Assessment)

Model components and workstreams shown in the diagram:
• GRCC Functional Model
• Enabling Technology
• Organization / Market Redesign and Optimization / Change and Communications
• GRCC Methodology / CQ Approach / Reporting
• Defined GRCC Activities for ICOFR/SOX, FCPA/GPIHP/GV
• GRCC Operating Model
• Implementation Strategy: Workforce Plan; Communications & Training Plan; Implementation Roadmap
• Organizational Design & Headcount; Job Descriptions; Roles and Responsibilities; Governance Framework and Committees

CQ Activities Taxonomy:
• Governance & Oversight
• Policies & Procedures
• Risk Identification & Assessment
• Risk & Compliance Management
• Monitoring
• Reporting & Escalation
• Communication & Training

Scope: FCPA/HCC; ITGC; ICOFR/SOX

Governance and Oversight (operating model boxes): GRCC Leader; FCPA/GPIHP/Global Vet COE; ICOFR/SOX COE; Compliance COE; Markets; Management Risk Committee; Controller; BTQ&C Leader; Local Leadership; Canada/DM; Europe; AfME/EM; Europe; Asia/Latin America
- 7 - CONFIDENTIAL
Summary of the Key GRCC Roles – Process View

Process – Key GRCC Activities

Governance & Oversight
• Develop common definitions, framework and risk appetite
• For FCPA and HCC, leverage framework and risk appetite established by Corporate Compliance

Policies & Standards
• Interpret policies, identify key control requirements and drive development of guidance related to areas in scope
• Identify new/changed ICOFR laws and regulations and develop ICOFR related policies

Risk Identification, Assessment & Measurement
• Design the risk and control self-assessment (“RCSA”) methodology and approach
• Lead, coordinate and facilitate the RCSA process and review results

Risk & Compliance Management
• Recommend continuous improvement of controls through automation and streamlining and oversee remediation of gaps in high risk areas
• Provide guidance on the development of action plans related to high risk areas

Risk & Compliance Monitoring
• Design effective ongoing monitoring approaches
• Perform risk based monitoring (analytics, metrics, select sample testing, etc.)

Risk & Compliance Reporting & Escalation
• Report key risk, compliance and control information to key stakeholders based on their needs
• Develop escalation protocols and escalate issues up

Communication & Training
• Develop overall training plans, review or facilitate development of local training using a risk based approach
- 8 - CONFIDENTIAL
Updated GRCC Functional Model and Key Functional Responsibilities

Tiers of the functional model: Oversight; Strategy and Planning; Implementation and Monitoring

Roles shown: GRCC Leader; Compliance COE; Management Risk Committee; VP/Controller; Americas Regional Leader; Europe Regional Leader; Asia Regional Leader; AfME Regional Leader; Healthcare Law Compliance/FCPA COE; ICOFR/SOX COE; Markets/Plants* (i.e., Emerging Markets, Developed Markets, GFS); Local Leadership**; BT Q&C Leader**

Key functional responsibilities:
• Oversight and sets ‘tone at the top’
• Critical issue escalation
• Set mission, goals, and guiding principles for GRCC
• Communicate key activities, trends and results
• Risk-based resource allocation
• Coordination with other risk groups (e.g. Corporate Audit (“CA”), Compliance)
• Perform monitoring activities at the market level
• Coordinate with market/site/plant level regarding design and implementation of controls to address risk
• In market point of contact for CA
• Identify emerging or changing risks in the market
• Market/regionally located, business unit agnostic
• Risk based deployment of resources
• Interpret new or changing regulations for the risk area
• Lead the risk assessment process for the risk area
• Determine control requirements based on risk profile
• Determine governance framework and approach for monitoring
• Aggregate monitoring results and generate consolidated reporting
• Focal point of contact to business unit leaders for unique issues
• Deploy methodologies, tools and training to the markets
• Evaluate results of monitoring activities for risks, issues and trends
• Identify emerging or changing risks in the geography
• Communicate with FDs, Controllers, business, CA, etc. (e.g., implementation/monitoring, changes in business strategy, etc.)
• Regionally located, business unit agnostic

* Detailed deployment strategy for Geography and Market/BU GRCC resources will be determined during detailed implementation planning
** Outside of the GRCC Function
- 9 - CONFIDENTIAL
GRCC Governance Framework and Connection with the Business

Management Risk Committee
• The Top Down View: risk and control appetite, risk policies, guidelines, and framework
• Management Risk Committee composition includes Divisional Finance Leaders and other key stakeholders

GRCC Function (with Corporate Audit shown alongside)
• Aggregation and Integration: risk, compliance and control metrics and key trends
• COE will be organized to provide divisional representation/expertise and act as a focal point of contact to the business
• GRCC will work in close collaboration with Controllers, Legal, Compliance and BT Q&C

Markets, Plants and Corporate Functions (e.g. Corporate BT, Finance, GFS, Business Divisions)
• Data Collection: risk and control metric inputs
• Operational View: practices and procedures, guidance on risk mitigation, facilitation of risk assessment
• Front line ownership and accountability for risks and controls reside in this group

The goal of the GRCC functional model is to provide a pan-Pfizer approach to managing and monitoring risks in scope. However, a strong connection to the business and appreciation of the unique nature of the business divisions/units will also be required for the success of the GRCC function.
- 10 - CONFIDENTIAL
Standardization of the CCR Role: In-Scope Processes and Activities

Of the activities listed below, we estimate that a majority (upwards of 90%) are currently being performed by RAMs (CCRs) to some degree, although inconsistently across Pfizer. Additionally, certain compliance activities may currently be performed by other Finance colleagues (e.g., Trend Analysis) in some markets. Provided below is an approximate percentage of time CCRs would allocate to each specific process depending on the market.

Governance (Less than 1%)
– Provide input on the strategy for financial reporting and FCPA/GPIHP/GV risk management, compliance quality activities and reporting

Policies and Procedures (Less than 5%)
– Provide in market support, guidance, and consultation to ensure process and internal control changes are documented in local SOPs; streamline and harmonize local policies; work with BPOs/Legal to develop and maintain a central repository for local SOPs; maintain a change management process for local SOPs

Risk Identification, Measurement and Assessment (Less than 5%)
– Execute and coordinate annual ICOFR and FCPA/GPIHP risk assessment; consult on design and maintenance of a standard methodology by GRCC leadership to identify and prioritize existing and emerging ICOFR and FCPA/GPIHP/GV risks and controls

Risk and Compliance Management (~25% to 30% depending on market)
– Provide local consultation and support with guidance on controls, best practices; document ICOFR RCMs using guidance provided by GRCC Leadership and maintain baseline of controls; provide support and guidance to BPOs in the development, execution, and documentation of remedial actions for any deficiencies; responsible for preparing annual FCPA and GPIHP Trend Analysis and certification

Risk and Compliance Monitoring (approximately 50% depending on market)
– Execute CQ monitoring activities using guidance, tools, and templates provided by GRCC Leadership including:
  • Coordination and execution of market internal control self-assessment and certifications
  • Coordination and execution of SOX 302 and 404 certifications
  • Execution of analytical reviews
  • Performing walkthroughs of key controls
  • Performing sample based reviews in the areas of ICOFR, FCPA/GPIHP/GV, and T&E to identify control deficiencies

Risk and Compliance Reporting and Escalation (Less than 5%)
– Report results of compliance quality activities using guidance and tools developed by GRCC Leadership; execute escalation protocols designed by GRCC Leadership for deficiencies or issues identified as a result of the execution of compliance quality activities

Training (Less than ~5%)
– Facilitate development of periodic training materials related to ICOFR, FCPA/GPIHP/GV, and T&E including new hires and contractors; perform periodic training in the market on ICOFR, FCPA/GPIHP/GV, and T&E

Other Compliance Activities (~15%)
– Implement and support business in roll-out of new compliance requirements and changes in policies and procedures and CoE Compliance initiatives
- 11 - CONFIDENTIAL
What have we learned?
Some things worked well that we thought would be challenging
• Stronger support than expected from our Finance Directors in the field
• The compliance professionals in the field reacted very positively to being part of a global effort
• Both internal and external audit have been very supportive
There were some unexpected challenges
• There is a constant demand for training, and deep dive training that provides detailed guidance
• It is difficult to do this without effective tools / technology
• Balancing the monitoring and advisory roles is always going to be a challenge
Key lessons learned
• Change management matters: having a clear vision, communicating it well and constantly, and delivering the training needed to enable people to succeed in the new roles are all very important. Plan to measure and monitor your progress to make sure the change is fully and consistently implemented.
• Connecting the efforts of people across sixty countries requires effective tools and technology.
• Our work can help us to better mitigate risk while also introducing efficiencies through the application of our specialized skills and knowledge, working in collaboration with our partners in business finance.
As we appraise the project at the end of the first year, it has been a success
Looking ahead, the challenge of Year Two will be to move from a start-up mode to
business-as-usual, from a project mode to one of sustainable and consistent processes.